We can help you
Complete certification and lifecycle management
Common criteria evaluation
CCLab proposes a step-by-step approach to its clients. The target security level can be reached on an increasing basis: first solving the most aching problems, then strengthening the security of the IT system gradually. During security evaluations we follow a methodology based on our Common Criteria evaluation experience.
To be effective, application security needs to cover the entire product development lifecycle, from design through implementation and testing, including training:
- Security by design
BCM consulting, BCP and DRP creation, UAT (User Acceptance Test) and security testing design and management, site security screening
- Secure coding training
- Vulnerability assessment
Using the Flaw Hypothesis Methodology to analyse the system's operation and reveal possible vulnerabilities.
- Penetration testing
Our methodology is broader than ethical hacking, as it grew out of our systematic evaluation methodology, which focuses on the practical implementation (conceptual black box, gray box and white box testing).
Examples of errors that can be corrected during hardening: lack of input validation (SQLi, XSS, RFI, LFI); bypassing of entitlement levels; weak or poorly implemented cryptographic algorithms; memory management problems (buffer overflow); session management issues (session fixation, replay attacks); vulnerabilities due to incorrect configuration.
- Security audit
This is a full site inspection which involves recognizing human behavioural patterns; examining areas in accordance with regulations; observing and enforcing security measures; and testing deception, distraction, human behavioural change and social engineering techniques by applying information security awareness controls.
For mobile applications CCLab proposes to follow the OWASP Mobile Application Security Verification Standard. The evaluation process is based on the MASVS-L1 Standard Security level and is additionally extended to the MASVS-L2 Defense-in-Depth level.
CCLab offers evaluation services for Common Criteria conformance. Evidence for the software's security shall be provided through Evaluation and Certification according to the standards of the internationally recognized Common Criteria (CC) Certification Scheme. CCLab is licensed under the Italian Scheme (OCSI), which is part of both CCRA and SOGIS. Our license is valid up to Evaluation Assurance Level (EAL) 4+.
CCLab is also experienced in Common Criteria Consultations.
We can help if you require a certificate under a National Scheme, or if you are looking for a CC expert who can help you get past the difficulties of certification.
Our laboratory staff is highly experienced, having been involved in Common Criteria evaluations for more than a decade. We have already evaluated products in, for example, the following fields:
- remote Qualified Electronic Signatures and Seals (referred to collectively as QES) service according to eIDAS Regulation No 910/2014 at Sole Control Assurance Level 2 (SCAL2) according to EN 419241-1,
- composite evaluations based on a SmartCard platform for contact/contactless smart card with ePassport application as a whole ‘travel document’ (Machine Readable Electronic Document) and Qualified Signature Creation Device (QSCD) Java Card™ applet,
- high performance, low latency, multi-layer encryption appliance with web-based management software,
- Disk sanitizing software application that provides sensitive data protection,
- PKI based mobile ID solution for authentication server system for mobile-based second-factor authentication.
We can support you instantly. We use agile methodologies and toolsets imported from software development in project management and customer development. Thanks to our improved process, EAL4+ certification is achievable within 4 months!
If you are not sure whether your product is suited for Common Criteria Certification, we offer pre-evaluation services to prepare you for the evaluation, in order to avoid delays and additional costs during the certification process. During pre-evaluation, our consultants will evaluate the existing documentation, help to define a Protection Profile or create a Security Target, and identify areas of non-conformance or unmet criteria. We look forward to discussing your exact needs.
The Smart Meter is an Intelligent Measurement Device which periodically records the measured values and sends the data, encrypted, to the Service Provider.
These devices need to be evaluated by an evaluation laboratory and, from 01.01.2020, certified by METAS according to the Prüfmethodologie (Test Methodology for Execution of Data Security Evaluation of Swiss Smart Metering Components).
CCLAB's evaluation methodology strictly follows the latest version of the Pruefmethodologie issued by SWISSMIG.
The scope of evaluation methodology is based on the fulfilment of the requirements of the main components (HK):
- Smart metering device (iMG)
- Communication System (KS; Data concentrator (DC), other Gateway (GW))
- Head End System (HES) through the respective test object (ToE or PG)
A ToE contains at least one iMG and a HES.
The evaluation process is divided into two parts, document evaluation and penetration testing. The document evaluation consists of the following parts:
- IT-Security concept evaluation: 2-3 days
- Product development, architecture, functionality documentation evaluation: 3-4 days
- Product lifecycle document evaluation: 1 day
This is usually followed by an iteration, during which the manufacturer corrects the findings of the Laboratory.
Then comes the penetration testing:
- Penetration tests on the test site: 10-12 days
CCLAB is one of the 12 laboratories in the world that can issue FIDO certification in Authenticator Certification Level 2.
L2 evaluates FIDO Authenticator protection against basic, scalable attacks.
Authenticator Certification Level 1: any device, hardware or software, must defend against phishing, server credential breaches and MiTM attacks (better than passwords).
Authenticator Certification Level 1+: any device, hardware or software, should apply white box cryptography to defend against OS compromise.
Authenticator Certification Level 2: the device must support an allowed Restricted Operating Environment (ROE) (e.g. TEE, Secure Element), or intrinsically be a ROE (e.g. a USB token or smart card). It must defend against device OS compromise.
FIDO Authenticator Certification examples
- L1 - Downloaded app making use of Touch ID in iOS
- L1 - FIDO2 making use of the Android keystore. Keystore is not certified
- L1 - FIDO2 built into a downloadable web browser app
- L1+ - U2F in a downloadable app using white box and other techniques
- L2 - UAF implemented as a TA in an uncertified TEE
- L2+ - FIDO2 making use of the Android keystore. Keystore runs in a TEE that is certified at L2+
Did FIDO spark your interest?